SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY

US 20080091747A1
Filed: 03/30/2007
Published: 04/17/2008
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method of securing storage operations in a data management system, comprising:

receiving a request to perform a storage operation that makes data at a source location available at a destination location;

querying access control information, wherein the access control information is associated in a first manner with the source location; and

applying the access control information to the destination location in a second manner different than the first manner in which the access control information was associated with the source location to at least in part permit, prohibit, or modify the requested storage operation.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.

189 Citations

View as Search Results

60 Claims

1. A method of securing storage operations in a data management system, comprising:
- receiving a request to perform a storage operation that makes data at a source location available at a destination location;
  
  querying access control information, wherein the access control information is associated in a first manner with the source location; and
  
  applying the access control information to the destination location in a second manner different than the first manner in which the access control information was associated with the source location to at least in part permit, prohibit, or modify the requested storage operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the storage operation comprises a backup of the data from the source location to the destination location.
  - 3. The method of claim 1 wherein the storage operation comprises making a snapshot copy of the data.
  - 4. The method of claim 1 wherein the source location data comprises a file system object.
  - 5. The method of claim 1 wherein the source location data comprises an application data object.
  - 6. The method of claim 1 wherein the destination location comprises a storage device for storing secondary copies of data.
  - 7. The method of claim 1 wherein applying the access control information comprises storing the access control information with the data at the destination location.
  - 8. The method of claim 1 wherein applying the access control information comprises storing the access control information in an index of the data.
  - 9. The method of claim 1 wherein applying the access control information comprises encrypting the data based on the access control information.

10. A system for securing storage operations, comprising:
- a network security component that provides access control for data stored by one or more computers in a networka storage operation component associated with performing storage operations on the data that creates secondary copies of the data; and
  
  an access control migration component that captures access control information maintained by the network security component and applies the access control information to the secondary copies of the data created by the storage operation component.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10 wherein the network security component comprises a user directory.
  - 12. The system of claim 10 wherein the network security component is Microsoft Windows Active Directory.
  - 13. The system of claim 10 wherein the network security component is a file system.
  - 14. The system of claim 10 wherein the storage operation component is a storage application that defines custom access control information.
  - 15. The system of claim 10 wherein the storage operation component performs a backup of the data.
  - 16. The system of claim 10 wherein the access control migration component copies file system access control information to backup data.

17. One or more computer memories collectively containing a data structure for associating access control information with backup data, comprising:
- a security descriptor having one or more access control lists, wherein each access control list contains one or more access control entries; and
  
  a backup data reference that specifies the backup data for which the security descriptor specifies access control information.
- View Dependent Claims (18, 19, 20)
- - 18. The data structure of claim 17 further comprising metadata describing the content of the backup data.
  - 19. The data structure of claim 17 wherein the access control entries contain users and groups defined by a security system.
  - 20. The data structure of claim 17 wherein the backup data reference contains the backup data.

21. A method of creating users who have access to perform data management operations in a data management system, the method comprising:
- identifying at least one preexisting user created in a security system external to the data management system, wherein the user has certain access rights defined by the security system;
  
  creating a group within the data management system that associates one or more users with at least one access right for performing data management operations;
  
  adding the identified at least one preexisting user to the created group within the data management system; and
  
  querying the security system to determine the certain access rights defined by the security system assigned to the identified at least one preexisting user.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21 wherein the preexisting user is a preexisting security group that contains multiple preexisting users and wherein adding the identified at least one preexisting user adds all of the preexisting users within the preexisting group.
  - 23. The method of claim 21 wherein an administrator of the data management system does not have access rights to create new users within the data management system.
  - 24. The method of claim 21 wherein an administrator of the data management system does not have access rights to create new users within the security system.
  - 25. The method of claim 21 wherein the security system external to the data management system is Microsoft Windows Active Directory™
    - .
  - 26. The method of claim 21 including querying the security system to determine an email address associated with the preexisting user such that the email address can be used by the data management system to provide an email update to the preexisting user regarding the status of a storage operation.
  - 27. The method of claim 21 wherein querying the security system to determine the certain access rights defined by the security system assigned to the identified at least one preexisting user comprises determining at least one computer to which the preexisting user has access and including allowing the user to perform data management operations on the determined at least one computer.
  - 28. The method of claim 21 including determining whether a user can perform a selected storage operation based on the certain rights defined by the security system.
  - 29. The method of claim 21 wherein adding the identified at least one preexisting user to the created group within the data management system comprises storing a reference within the created group to a record associated with the preexisting user in the security system.
  - 30. The method of claim 21 wherein the at least one access right for performing data management operations determines which copies of source data stored in multiple copies that a user within the group can access.

31. A computer-readable medium containing instructions for controlling a computer system to migrate users from a preexisting security system to a data management system, by a method comprising:
- receiving a request to create a new security entity in a storage management application of the data management system, wherein the new security entity associates at least one access right for performing a storage management operation with the security entity;
  
  providing a list of one or more preexisting security entities defined by a security infrastructure external to the data management system;
  
  receiving a selection of at least one preexisting security entity defined by the external security infrastructure; and
  
  migrating the at least one selected preexisting security entity defined by the external security infrastructure to the new security entity in the storage management application.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The computer-readable medium of claim 31 wherein migrating the at least one selected preexisting security entity comprises querying information about the preexisting security entity and copying the information to the new security entity.
  - 33. The computer-readable medium of claim 31 wherein the external security infrastructure is a user directory provided by an operating system.
  - 34. The computer-readable medium of claim 31 wherein providing a list of one or more preexisting security entities defined by a security infrastructure external to the data management system comprises retrieving information from multiple external security infrastructures provided by more than one operating system.
  - 35. The computer-readable medium of claim 31 wherein the selected at least one preexisting security entity is an individual user or a group containing one or more users.
  - 36. The computer-readable medium of claim 31 wherein the external security infrastructure provides one or more access control lists that define one or more access rights assigned to each preexisting security entity.

37. A system for securing storage operations in a storage management system, wherein the storage management system interfaces with an external security component configured to store one or more external users and one or more access rights associated with the external users, the system comprising:
- a storage management application configured to store one or more storage management users and to perform storage operations on behalf of the one or more storage management users;
  
  an access control migration component configured to interface with the external security component and with the storage management application, wherein the access control migration component is further configured to capture the one or more access rights associated with selected external users stored by the external security component, create storage management users based on the external users, and apply at least one of the one or more access rights associated with the external users to the created storage management users.
- View Dependent Claims (38, 39, 40)
- - 38. The system of claim 37 wherein capturing the one or more access rights associated with selected external users stored by the external security component comprises capturing supplemental information about the external users including at least a name and email address associated with the external user.
  - 39. The system of claim 37 wherein the storage management application stores with each storage management user access control information describing the types of storage management operations that each storage management user has access to perform.
  - 40. The system of claim 37 wherein the external security component is Microsoft Windows Active Directory™
    - .

41. A method of searching for data objects in a data management system, the method comprising:
- receiving one or more criteria describing at least one data object to be located within the data management system;
  
  identifying one or more data objects stored within the data management system that satisfy the received one or more criteria;
  
  applying one or more access rights associated with the identified one or more data objects stored within the data management system to filter the identified one or more data objects; and
  
  providing a filtered list of results that contains the identified one or more data objects, wherein the list is filtered based on the applied one or more access rights.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 42. The method of claim 41 wherein applying one or more access rights comprises applying rights based on an identity of a user from which the one or more criteria are received, wherein the identity of the user is associated with an external security system.
  - 43. The method of claim 41 wherein applying one or more access rights comprises applying rights based on an identity of a process from which the one or more criteria are received.
  - 44. The method of claim 41 wherein applying one or more access rights comprises applying rights based on an identity of the identified one or more data objects.
  - 45. The method of claim 41 wherein applying one or more access rights comprises applying rights based on content contained within the identified one or more data objects.
  - 46. The method of claim 41 wherein providing a filtered list of results comprises removing identified data objects from the results to which the one or more access rights do not grant access.
  - 47. The method of claim 41 wherein providing a filtered list of results comprises providing an indication that access to the results is restricted for results to which the one or more access rights do not grant access.
  - 48. The method of claim 41 wherein identifying one or more data objects stored within the data management system comprises querying a metabase that maintains an index of data objects stored within the data management system and access control information associated with the data objects to determine data objects that satisfy the one or more received criteria.
  - 49. The method of claim 41 wherein the access rights associated with the identified one or more data objects are based on access control information associated with source data used to create the one or more data objects.
  - 50. The method of claim 41 wherein the data management system contains multiple copies of each data object and wherein the access rights associated with a particular data object provide similar access to the data object for each of the copies of the particular data object.
  - 51. The method of claim 41 wherein the access rights of a user from which the one or more criteria are received are determined by the membership of the user in one or more Active Directory groups.

52. A computer-readable medium containing instructions for controlling a computer system to restrict access to data objects stored within a storage management system, by a method comprising:
- receiving a request identifying a particular copy of a data object for which access rights are to be determined, wherein the data object has multiple copies;
  
  identifying the entity requesting access to the particular copy of the data object;
  
  querying access control information for the particular copy of the data object from the storage management system, wherein the storage management system associates access control information with each data object when a first instance of the data object is encountered and associates the access control information with each subsequent copy of the data object that is created; and
  
  ,indicating whether the identified entity requesting access to the data object is granted access to the data object based on the access control information associated with the data object by the storage management system, wherein the indication is the same regardless of which of the multiple copies of the data object the request identifies.
- View Dependent Claims (53, 54, 55, 56, 57)
- - 53. The computer-readable medium of claim 52 wherein identifying the entity requesting access comprises looking up the entity in a security infrastructure and determining the access rights assigned to the entity by the security infrastructure.
  - 54. The computer-readable medium of claim 52 wherein different storage operations have been applied to each of the copies of the data object having multiple copies.
  - 55. The computer-readable medium of claim 52 wherein storing access control information for each data object when a first instance of the data object is encountered comprises retrieving access control information associated with a file system in which the data object is stored.
  - 56. The computer-readable medium of claim 52 wherein querying access control information for the particular copy of the data object from the storage management system comprises accessing an index that stores information about each copy of the data object and access control information associated with the data object.
  - 57. The computer-readable medium of claim 52 wherein the entity requesting access is a member of a security group and identifying the entity requesting access to the particular copy of the data object comprises determining the access rights assigned to members of the security group.

58. A system for filtering data objects provided in response to a search in a data management system based on access rights associated with the data objects, the system comprising:
- a network security component that provides access control information for data objects stored by one or more computers within the data management system, wherein the access control information is based on access control information associated with source data used to create each data object;
  
  an entity identification component that identifies an entity requesting access to a data object stored within the data management system;
  
  a storage search component that receives criteria and performs searches for data objects within the data management system that satisfy at least one or the criteria; and
  
  a data object access component that determines whether the entity identified by the entity identification component has access to the data objects discovered by the storage search component based on the access control information.
- View Dependent Claims (59, 60)
- - 59. The system of claim 58 wherein the network security component manage storage operations associated with data objects and when a storage operation creates a copy of a data object, migrates access control information associated with the source of the data object to the copy of the data object.
  - 60. The system of claim 58 including a web server component that provides access to data objects and the storage search component through a web browser interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Varadharajan, Prakash, Prahlad, Anand, Kavuri, Srinivas

Granted Patent

US 8,655,914 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

189 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

189 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links